Information Security

  • 1.  Review of SOC Report and controls

    Posted 02-05-2025 03:03 PM

    I am looking to get feedback on how others handle the review of SOC reports for SOX vendors to ensure that the vendor controls are adequate, as well as reviewing to ensure that Complementary User Entity Controls are in place. Our Risk/Product Manager for the vendor is responsible for completing the initial review. As a secondary review, we were trying to have our Finance team, who oversee the SOX business processes, controls, and risks, complete a review of the Risk/Product Manager's review to ensure that we have the controls properly addressed. There has been some pushback with this, so I was hoping to get others' thoughts on how they handle this process. Thank you.



  • 2.  RE: Review of SOC Report and controls

    Posted 02-05-2025 03:26 PM

    Hi Michael, with regard to SOC reports, I'll offer a couple of things I learned from working at a large Fortune 100 company. First, I'm assuming you're only sending SOC 1 reports to your financial/SOX team. The SOC 1 reports are meaningful to them as they relate to the financial controls and the related ITGCs that might affect the SOX team's responsibility area. The SOC 2 reports are more focused on the 5 trust principles and are more operational/technical controls focused.

    Along those same lines is the organizational applicability question. Specifically, if the SOX team maintains a list of their in-scope vendors (vendors that might impact financials), they are going to be somewhat resistant to looking at SOC reports if those reports are not related to their list. So, if you are wanting them to opine on a SOC 1, they probably are already reviewing it (if it's in their scope), while if you want them to review either a SOC 2 (or even a SOC 1) from a vendor that's not impactful to your organization's financial standing, you might obtain some pushback.

    Just my thoughts.  I welcome anyone else's correction to my thinking, or additional clarification.




  • 3.  RE: Review of SOC Report and controls

    Posted 02-05-2025 06:10 PM

    Michael, also, let me commend the shared responsibility model that you're evidently deploying. Without knowing your staffing levels it's hard to ascertain the level of availability the SOX team has. If they are a financial accounting team, it certainly might make sense to have them review mission-critical and other important vendor artifacts. I know large organizations may have special third-party software and other support for reviewing financial strength/viability documentation and so forth, while smaller ones might depend, as I've done before, on the CFO's staff to take a second look at financials. Without knowing your specific organization's structure I can't say for certain; I just know that in the one shop I worked in, the SOX team was small and barely had the staff to review the vendors that they were primarily responsible for, so we didn't leverage them very often for out-of-scope SOX vendors for VRM.




  • 4.  RE: Review of SOC Report and controls

    Posted 02-07-2025 08:38 AM

    I'll chime in as well, but on the starter question.

    As far as whether the controls are adequate, my experience with auditors is that this is determined by your policies and procedures.

    Now, with that non-answer out of the way, I would recommend that you create a checklist with controls that you feel are appropriate and feasible. One way is to start with a vendor that you are confident is doing a sufficient job, and use that as a template. If you are looking at internal mitigation controls, then start with that CUEC list [or a more robust one from another vendor, and add in the vendor specific ones] and build from there.

    The advantage of a checklist is that it is a relatively static thing, and shapes the review for those who feel they are either too busy or not qualified to review. Auditors often like it because it shows a consistency of review.

    But, as with all things, your mileage may vary.



    ------------------------------
    Dave Howe
    CIO Franklin First FCU
    ------------------------------



  • 5.  RE: Review of SOC Report and controls

    This message was posted by a user wishing to remain anonymous
    Posted 02-07-2025 01:44 PM

    Here is a SOC review form we use; this is for our InfoSec officer. We also have one almost exactly the same for the SOC 1 Type 2 review. I didn't create this so I can't take credit for it. Unfortunately, I don't remember where I got it from.

